lemoncurry/lemonauth/tokens.py

from jose import jwt

from datetime import datetime, timedelta
from django.contrib.auth import get_user_model
from django.conf import settings
from django.http import HttpResponse


def auth(request):
    if 'HTTP_AUTHORIZATION' in request.META:
        auth = request.META.get('HTTP_AUTHORIZATION').split(' ')
        if auth[0] != 'Bearer':
            return HttpResponse(
                'authorisation with {0} not supported'.format(auth[0]),
                content_type='text/plain',
                status=400
            )
        if len(auth) != 2:
            return HttpResponse(
                'invalid Bearer auth format, must be Bearer <token>',
                content_type='text/plain',
                status=400
            )
        token = auth[1]
    elif 'access_token' in request.POST:
        token = request.POST.get('access_token')
    elif 'access_token' in request.GET:
        token = request.GET.get('access_token')
    else:
        return HttpResponse(
            'authorisation required',
            content_type='text/plain',
            status=401
        )

    try:
        token = decode(token)
    except Exception as e:
        return HttpResponse(
            'invalid micropub token',
            content_type='text/plain',
            status=403,
        )

    return MicropubToken(token)


class MicropubToken:
    def __init__(self, tok):
        self.user = get_user_model().objects.get(pk=tok['uid'])
        self.client = tok['cid']
        self.scope = tok['sco']

        self.me = self.user.full_url
        self.scopes = self.scope.split(' ')

    def __contains__(self, scope):
        return scope in self.scopes


def encode(payload):
    return jwt.encode(payload, settings.SECRET_KEY, algorithm='HS256')


def decode(token):
    return jwt.decode(token, settings.SECRET_KEY, algorithms=('HS256',))


def gen_auth_code(req):
    code = {
        'uid': req.user.id,
        'cid': req.POST['client_id'],
        'uri': req.POST['redirect_uri'],
        'typ': req.POST.get('response_type', 'id'),
        'iat': datetime.utcnow(),
        'exp': datetime.utcnow() + timedelta(seconds=30),
    }
    if 'scope' in req.POST:
        code['sco'] = ' '.join(req.POST.getlist('scope'))

    return encode(code)


def gen_token(code):
    tok = {
        'uid': code['uid'],
        'cid': code['cid'],
        'sco': code['sco'],
        'iat': datetime.utcnow(),
    }
    return encode(tok)
Switch from PyJWT to python-jose, since it supports more features and has more documentation 2017-11-03 02:42:57 -04:00			`from jose import jwt`
Switch from database-persisted auth codes to stateless JSON Web Tokens :) 2017-11-02 01:36:16 -04:00
			`from datetime import datetime, timedelta`
Dramatically improved processing of Micropub tokens which supports both the Authorization header and the access_token field approaches 2017-12-17 17:51:06 -05:00			`from django.contrib.auth import get_user_model`
Switch from database-persisted auth codes to stateless JSON Web Tokens :) 2017-11-02 01:36:16 -04:00			`from django.conf import settings`
Dramatically improved processing of Micropub tokens which supports both the Authorization header and the access_token field approaches 2017-12-17 17:51:06 -05:00			`from django.http import HttpResponse`


			`def auth(request):`
			`if 'HTTP_AUTHORIZATION' in request.META:`
			`auth = request.META.get('HTTP_AUTHORIZATION').split(' ')`
			`if auth[0] != 'Bearer':`
			`return HttpResponse(`
			`'authorisation with {0} not supported'.format(auth[0]),`
			`content_type='text/plain',`
			`status=400`
			`)`
			`if len(auth) != 2:`
			`return HttpResponse(`
			`'invalid Bearer auth format, must be Bearer <token>',`
			`content_type='text/plain',`
			`status=400`
			`)`
			`token = auth[1]`
			`elif 'access_token' in request.POST:`
			`token = request.POST.get('access_token')`
			`elif 'access_token' in request.GET:`
			`token = request.GET.get('access_token')`
			`else:`
			`return HttpResponse(`
			`'authorisation required',`
			`content_type='text/plain',`
			`status=401`
			`)`

			`try:`
			`token = decode(token)`
			`except Exception as e:`
			`return HttpResponse(`
			`'invalid micropub token',`
			`content_type='text/plain',`
			`status=403,`
			`)`

			`return MicropubToken(token)`


			`class MicropubToken:`
			`def __init__(self, tok):`
			`self.user = get_user_model().objects.get(pk=tok['uid'])`
			`self.client = tok['cid']`
			`self.scope = tok['sco']`

			`self.me = self.user.full_url`
			`self.scopes = self.scope.split(' ')`

			`def __contains__(self, scope):`
			`return scope in self.scopes`
Switch from database-persisted auth codes to stateless JSON Web Tokens :) 2017-11-02 01:36:16 -04:00

Refactor the actual JWT calls into separate functions since I'll be needing them for tokens as well as auth codes 2017-11-02 23:37:39 -04:00			`def encode(payload):`
			`return jwt.encode(payload, settings.SECRET_KEY, algorithm='HS256')`


			`def decode(token):`
			`return jwt.decode(token, settings.SECRET_KEY, algorithms=('HS256',))`


Add the current user's ID to the auth code, will be handy when making a token since we need to know who the token's for 2017-11-03 00:51:27 -04:00			`def gen_auth_code(req):`
Switch from database-persisted auth codes to stateless JSON Web Tokens :) 2017-11-02 01:36:16 -04:00			`code = {`
Add the current user's ID to the auth code, will be handy when making a token since we need to know who the token's for 2017-11-03 00:51:27 -04:00			`'uid': req.user.id,`
Simplify the auth code format a little: the 'me' value can be computed from the user ID and so is redundant 2017-11-03 01:14:30 -04:00			`'cid': req.POST['client_id'],`
			`'uri': req.POST['redirect_uri'],`
			`'typ': req.POST.get('response_type', 'id'),`
Improve JWT security by specifying the algorithm used, and also use shorter key names to make the code a little shorter 2017-11-02 23:33:27 -04:00			`'iat': datetime.utcnow(),`
			`'exp': datetime.utcnow() + timedelta(seconds=30),`
Switch from database-persisted auth codes to stateless JSON Web Tokens :) 2017-11-02 01:36:16 -04:00			`}`
Simplify the auth code format a little: the 'me' value can be computed from the user ID and so is redundant 2017-11-03 01:14:30 -04:00			`if 'scope' in req.POST:`
			`code['sco'] = ' '.join(req.POST.getlist('scope'))`
Switch from database-persisted auth codes to stateless JSON Web Tokens :) 2017-11-02 01:36:16 -04:00
Simplify the auth code format a little: the 'me' value can be computed from the user ID and so is redundant 2017-11-03 01:14:30 -04:00			`return encode(code)`
Implement a token endpoint - currently all tokens last forever and can't be revoked, but I can add revocation later without too much trouble 2017-11-03 02:18:00 -04:00

			`def gen_token(code):`
			`tok = {`
			`'uid': code['uid'],`
			`'cid': code['cid'],`
			`'sco': code['sco'],`
			`'iat': datetime.utcnow(),`
			`}`
Switch from PyJWT to python-jose, since it supports more features and has more documentation 2017-11-03 02:42:57 -04:00			`return encode(tok)`